New Lucid Stealer Targets 18 Browsers, Crypto Wallets, and Discord Tokens With Hidden Remote Access
Cybersecurity NewsArchived Jun 08, 2026✓ Full text saved
A newly identified piece of Windows malware is raising serious concerns among cybersecurity professionals for its wide reach and unusually deep set of capabilities. Discovered through underground channels linked to Telegram, the threat known as Lucid Stealer goes far beyond stealing a few stored passwords. It can take full control of an infected machine without […] The post New Lucid Stealer Targets 18 Browsers, Crypto Wallets, and Discord Tokens With Hidden Remote Access appeared first on Cyber
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
New Lucid Stealer Targets 18 Browsers, Crypto Wallets, and Discord Tokens With Hidden Remote Access
By Tushar Subhra Dutta
June 8, 2026
A newly identified piece of Windows malware is raising serious concerns among cybersecurity professionals for its wide reach and unusually deep set of capabilities.
Discovered through underground channels linked to Telegram, the threat known as Lucid Stealer goes far beyond stealing a few stored passwords. It can take full control of an infected machine without the victim ever noticing anything is wrong.
What makes this malware particularly dangerous is how it disguises itself. The entire malicious package is wrapped inside a legitimate Node.js runtime, making it look like a normal software application to most standard security tools.
This clever packaging allows it to slip past basic defenses while quietly carrying out a wide range of harmful activities in the background.
Researchers at Foresiet identified and statically analyzed this Lucid Stealer build after noticing renewed activity tied to a dedicated Telegram channel promoting the tool as a paid, subscription-based product.
Foresiet said in a report shared with Cyber Security News (CSN) that the sample is far more capable than a typical credential stealer, combining data theft with live remote access in a single build.
The malware is sold as a commercial service, complete with a hosted web panel, license keys, and an active support channel.
The operators briefly shut down the project in late May 2026 before relaunching it days later, announcing a full rebuild of the site and even a planned move away from Node.js toward Java for better evasion. This shows that the people behind it are actively investing in improving and expanding the threat.
The situation is especially serious because infections should be treated as full compromises. Credentials, browser cookies, Discord sessions, crypto wallet keys, and Roblox session data are all at risk the moment the malware runs.
Defenders are urged to act fast and assume everything stored on the infected machine has already been seen by the attacker.
New Lucid Stealer Targets 18 Browsers, Crypto Wallets, and Discord Tokens
Lucid Stealer is built to steal from nearly every corner of a user’s digital life. The analyzed build targets 18 browsers, 21 cryptocurrency clipper formats, seven desktop wallets, seven wallet browser extensions, and four Discord client variants.
Lucid Stealer web authentication panel (Source – Foresiet)
It goes after saved credentials, session cookies, autofill data, and browser history using a bundled SQLite tool to query copied browser databases directly.
The malware injects itself into Discord clients to steal tokens and modify the app to send stolen data back continuously. It also monitors clipboard activity, so any crypto wallet address a victim copies can be silently swapped with one controlled by the attacker.
These capabilities work together to drain both financial accounts and communication platforms at the same time.
What truly sets this threat apart is its remote access module. The malware includes a hidden desktop control feature, called HVNC, that lets operators take over a machine visually without opening any visible window on the victim’s screen.
Combined with a remote shell, a file manager, keylogging, and screenshot capture, the attacker has essentially the same access as if they were sitting in front of the machine themselves.
Infection Chain and Detection Guidance for Defenders
The malware arrives in a password-protected ZIP archive. Once opened, it runs through a layered setup process that drops helper files, sets up persistence in the Windows registry, and optionally tries to gain elevated privileges.
Infection flow (Source – Foresiet)
By the time the main payload decrypts and runs, the attacker already has a stable foothold.
Security teams should focus on behavior-based detection rather than relying only on file hashes, since the operators have already announced plans to rebuild the malware on a new platform.
Hunting for temporary self-copies in the Windows TEMP folder disguised as “winupd” files, suspicious HKCU Run registry entries named WindowsUpdate, and unexpected .node module files appearing in user profiles are among the strongest signals of an active infection.
Network defenders should block all traffic to the known C2 address and watch for repeated POST requests to internal log and upload endpoints as additional confirmation.
Indicators of Compromise (IoCs)
Type Indicator Description
SHA-256 a380e66f381c9f88f4f221906f12b73e1f43517c8e5f6affcaca71fad3340d5f Outer WinZip-AES password-protected ZIP archive
SHA-256 101351cff5f971cd39bd6280be02a5e0e8f08d9874cae78b971e3a421a7050f6 Inner 100 MB Windows x64 Node.js SEA executable (primary payload)
SHA-256 8422c48d6301426a39bf9b3d7f11bdbe e7708e8a4e58171f38a5b5e51a8a53b8 Embedded ~8.5 MB NODE_SEA_BLOB JavaScript loader
SHA-256 cad3f0dde70a5d37c996abee75f39aff8e7603862f071a8c85cb48ee5482750f Decrypted JavaScript stealer/RAT core payload
SHA-256 5e33fe030fb7c3bbe2bca1f70f21a406716961aefdfb1bc030d7c65b7db055e9 Bundled SQLite helper binary
SHA-256 fc52b15848191ad97213d49c7f3c21760e1cc9507d5fb0d77fa75b7620c0deac UAC/elevation native N-API addon
SHA-256 6fb83f431f43d7b13e411676cdaa98d8ce005ffd61eed9d1d117698476acfb44 HVNC hidden desktop control native module
SHA-256 18e61b06068a8dd71e19ed3b117e4b0800f6dfbf252f381961dbb15b44ecc481 RobotJS screen capture and synthetic input addon
SHA-256 f85e5b19198cc4800be76346bb2868abdd45acbb314968cf2fe41cb18b502bfa Canvas addon for screenshots and streaming
IP Address 45[.]138[.]16[.]107:3001 Primary C2 command-and-control endpoint (hard-coded in sample, AS210558)
IP Address 85[.]239[.]155[.]68 Resolving infrastructure for lucidstealer[.]one at analysis time
Domain lucidstealer[.]one User-supplied panel domain
Domain iloveyoulucid[.]space User-supplied panel domain; resolved in DNS at analysis time
Domain ghdfhfjhfg[.]webhop[.]me User-supplied panel domain; no DNS resolution at analysis time
Domain 0kt[.]one User-supplied panel domain; resolved in DNS at analysis time
Domain storedonutsmp[.]net User-supplied panel domain; resolved in DNS at analysis time
URI /upload Stolen-data archive upload endpoint
URI /internal/log Metadata and keylog telemetry endpoint
URI /dc-injector Discord injection payload retrieval endpoint
URI /ws WebSocket C2 communication path
File %TEMP%\winupd_<random>.exe Hidden self-copy of the loader
File %TEMP%_sq3e_<pid>.exe Dropped SQLite helper binary
File %LOCALAPPDATA%\Common\<id>*.node Dropped native addons (UAC, HVNC, RobotJS, Canvas)
File %TEMP%\Data_<hwid>.zip Staged exfiltration archive
File %TEMP%\uac.log.txt Loader and elevation activity log
File %TEMP%\lucid_err.log Loader error log
Registry Key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate Autorun persistence value pointing to loader self-copy
Crypto Address bc1qj0uraqhgquwcwdlhazy7ahzypz7r987z89dhwe BTC clipper replacement address (disabled in this build)
Crypto Address 0x239df70C0d328dEb4187A8B50a70ead8cbb1f48D ETH clipper replacement address (disabled in this build)
Crypto Address LYUQyhrqHS9VXzRkQWRHvVEtr5aCCSoVig LTC clipper replacement address (disabled in this build)
License Key LUCID-M8NJ-SLBQ-ROI2 Embedded license key found in sample configuration
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
Trending News
Claude Down for Users Worldwide as Hundreds Report Service Issues
Anthropic Expands Project Glasswing Claude Mythos Preview to 150 New Organizations
CISA Warns of critical Magento Cache Warmer RCE flaw Exploited in Attacks
Hackers Use Fake Claude Code Install Page to Deliver Fileless .NET Infostealer
CISA Warns of Linux Kernel Improper Authentication Vulnerability Exploited in Attacks
Latest News
Chrome
Chrome Patches 429 Vulnerabilities Including 22 Critical Ones – Update Now!
Cyber Security
OWASP Releases AI Security Report to Empower Security Professionals with New Tools
Cyber Security News
Internet Explorer WebBrowser Control Attack Chain Turns Clicks Into RCE
Cyber Security News
Multiple VMware Stored XSS Vulnerabilities Allow Attackers to Inject Malicious Scripts
Cyber Security News
UniFi OS Server Critical RCE Chain Allows Root Access Without Credentials